ABSTRACT 

This paper shows that no simple, common-sense rule of thumb can be used to identify a most-vital arc, even in a simple maximum-flow problem. The correct answer requires analysis equivalent in difficulty to completely solving the maximum-flow problem, perhaps repeatedly. This insight generalizes to finding a most-vital component, or set of components, in a system whose operation is described by a more general model. Our paper shows how to evaluate the criticality of sets of components, how to assess the worst-case set of components that might be lost to a given number of simultaneous hostile attacks (or engineering failures, or losses to Mother Nature), and how to allocate limited defensive resources to minimize the maximum damage from a subsequent attack. Collateral insights include the fact that there is no way to prioritize individual components by criticality, and that the analysis that determines critical component sets also yields objective assessments of operational system resilience and can provide constructive advice on how to increase it.


INTRODUCTION 

When determining how best to protect infrastructure systems from attack, a natural question is, "What components are most critical?" or, equivalently, "which set of components will be most disruptive to the system if lost?" A critical component (or set of components) is one whose loss would significantly reduce system function relative to the reduction from losing other components. For example, consider a maximum-flow model, in which a network of capacitated arcs is used to model the possible flows of a single commodity (such as highway traffic, or water, natural gas, rail traffic, telecommunications traffic, jobs in a job shop, etc.) from an origin node to a destination node through a set of intermediate nodes. The system operator seeks to move as much material through the network from origin to destination as the arc capacities will allow. A classic result in the theory of network flows states that the maximum flow volume is equal to the minimum capacity of any cut, where a cut is a set of arcs such that every path from the origin to the destination passes through at least one arc in the set, and the capacity of that cut is the sum of the capacities of the arcs in the cut. The loss of all of the arcs in any cut therefore reduces the maximum-flow volume to zero, and so any cut is a set of critical arcs. But what about smaller sets of arcs?

In this paper, we revisit the definition of a most-vital arc (or, more generally, component) as one whose removal decreases the resulting maximum flow by the greatest amount, illustrating it using a historical example: the Soviet railroad system in the 1950s. Despite the conceptual simplicity of this definition, no simple rule exists for actually identifying such an arc. We use this example to motivate an attacker-defender system interdiction model, which identifies the worst-case disruption that an intelligent and observant adversary can mount given limited attack capability. We then show that tracing out the worst-case disruption as a function of attack capability provides a natural means to assess the resilience of the system as a whole. This analysis yields a corollary result that common-sense rules of thumb for ranking the importance or criticality of individual system components are invalid. Finally, we introduce a definition of "operational resilience" that follows naturally from this early work on most-vital arcs and maximum-flow problems.


BACKGROUND 

The study of vital arcs is intimately tied to the study of network flow problems, and both have their roots in military operations research. As documented by Schrijver (2002), early work on the maximum-flow minimum-cut (max-flow min-cut) theorem for network flows was conducted at the RAND Corporation (e.g., Ford and Fulkerson 1954, Fulkerson and Dantzig 1954, Dantzig and Fulkerson 1955) alongside a study that specifically investigated the carrying capacity of the Soviet railway system to convey military materiel from the Soviet Union to confront North Atlantic Treaty Organization forces (Harris and Ross 1955). Later at RAND, Wollmer (1963) studied rail systems "to find the link, which if removed, would reduce the capacity of the network the most." Such a link became known as the most-vital arc.


Wollmer (1964) considers a more general version that we might call the k most-vital arcs problem: "given a maximum flow network from which n links are to be removed, which n arcs, if removed, would reduce the maximum flow from source to sink the most and what would be the maximum flow?" (Wollmer used n instead of k, but we prefer the latter to avoid confusion with the standard definition of n as the number of nodes in a network flow model.) Wollmer solves this problem by taking the topological dual of the original maximum-flow problem, so that finding the minimum cut is equivalent to finding the shortest path through the dual. A drawback of Wollmer's technique is that it requires the original graph to be planar, meaning that it can be drawn so that no two arcs intersect each other except at nodes. This transformation converts the original maximum-flow problem to a shortest-path formulation where one seeks the k arcs in the dual that when assigned zero length reduce the shortest path the most.

This early work spawned a flurry of activity in model extensions for maximum-flow interdiction problems and improvements to the algorithms for solving them. Wollmer (1968) studies a stochastic variation of this problem in which the reduction in capacity on each interdicted arc is a random variable with known mean and variance, and the overall goal is to identify within specified confidence intervals the k arcs that maximally reduce the expected capacity of the network. Lubore et al. (1971) provide a more efficient algorithm for solving Wollmer's original (1963) problem. McMasters and Mastin (1970) introduce a "budgetized" version of the problem: given a cost for removing each arc and an overall interdiction budget, find the set of arcs whose removal decreases the maximum flow the most. Ratliff et al. (1975) provide a technique for finding k most-vital arcs that works for both planar and nonplanar networks. Corley and Chang (1974) consider the problem of finding the k most-vital nodes that, if removed, would reduce the maximum flow the most. They show that this can be solved by augmenting the original flow network such that each node is replaced by a pair of nodes connected by a single arc, and then solving for the k most-vital of these augmented arcs.


Not surprisingly, the notion of "most vital" has also been studied from the perspective of shortest path problems. Fulkerson and Harding (1977) show how to use a limited budget for lengthening arcs in order to maximize the shortest path. Golden (1977) solves for the least-cost means of lengthening arcs so as to increase the shortest path in a network above a specified length. Corley and Sha (1982) consider the problem of finding the most-vital arc (and node) within a shortest path problem, where all arc costs are the same. Malik et al. (1989) provide an improved algorithm for solving this problem. Ball et al. (1989) establish the NP-hardness of most-vital-arc (and most-important-arc) problems in a shortest path context.

The study of vital arcs has recently continued in the context of network interdiction problems, starting with Wood (1993). An important part of this work has been the connection to two-person zero-sum games (Washburn and Wood 1995), and their application to stochastic network interdiction (Cormican et al. 1998), shortest path problems (Israeli and Wood 2002), and multicommodity network models (Lim and Smith 2007). Most recently, these ideas have been applied to the study of critical infrastructure systems (e.g., Brown et al. 2005, 2006), with specific attention toward electric power systems (Salmeron et al. 2004, 2009), facility location problems (e.g., Church and Scaparra 2006, Scaparra and Church 2008), supply chain networks (Snyder et al. 2006), telecommunication systems (Murray et al. 2007), and transportation problems (Alderson et al. 2011). Lunday and Sherali (2012) pose and solve some min-max models depicting interdiction planning to maximize the probability of intercepting a lone evader attempting to traverse a network from some source to some destination. Both overt and covert search efforts are considered, and types of resources, when combined, can return super-additive improvements in search effectiveness.


THE  1950S  SOVIET  RAIL  SYSTEM 

Harris and Ross (1955) model the movement of military materiel from the Soviet Union into Europe as a network flow problem, using vertices to represent geographically distributed "railway divisions," and arcs to abstract the aggregate capacity of the rail connections between each pair of adjacent divisions. In this case the minimum cut represents not only the capacity of the network as a whole, but also identifies the arcs whose removal would yield a complete interdiction of network flows. Figure 1 depicts the rail system studied in Harris and Ross.

Whereas a maximum-flow problem of this scale was considered large at the time, modern modeling languages and computing power make it the kind of problem that students might solve as a homework assignment. A much more difficult problem to solve, and one that is more aligned with modern interests, is: which arc or subset of arcs is most vital to the movement of materiel through this network? The operational importance of this question is immediate. An adversary looking to use limited attack resources wants to plan effects-based targeting (e.g., DoD 2002, p. 1-5). Or a defender of this system wants to know where to invest limited defensive resources in order to obtain mission assurance, i.e., the ability to maintain throughput capacity even in the presence of limited disruptions. We proceed in support of these objectives.

Minimizing  Maximum  Flow 

Consider a transportation system operator who is moving some commodity (materiel, fuel, etc.) through a capacitated flow network consisting of a directed graph $G = (N, E)$, where $N$ is a set of nodes, $E$ is a set of undirected edges connecting node pairs (where we assume $i < j$ for all edges $(i, j) \in E$), and each edge has two associated directed arcs $(i, j) \in A$ and $(j, i) \in A$, one in each direction, and the combined flows on these two arcs have an upper bound $u_{i,j}$. The operator's objective is to maximize the flow through this network from some distinguished source node $s$ to some other distinguished terminal node $t$.

Figure 1. The Soviet rail system, circa 1955, as presented by Harris and Ross (1955). Nodes represent organizational units called "divisions," and arcs represent the aggregate capacity to move cargo (measured in thousands of tons) between divisions.

Suppose that an attacker has the capability to damage a limited number of edges, rendering each arc associated with such a damaged edge useless, and must decide which edges in the network to destroy so that the operator's maximum flow is minimized — perhaps to zero. We formulate problem MINMAXFLOW as follows.

Index Use

$i \in N$          node (alias $j$); where $n = |N|$
$s, t$             origin (source) node, and destination (terminal) node
$(i,j) \in E$      undirected edge between nodes $i$ and $j$; where $m = |E|$, $i < j \;\; \forall (i,j) \in E$
$(i,j) \in A$      arc directed from node $i$ to node $j$
$(i,j) \in E \Rightarrow i < j \wedge ((i,j) \in A \wedge (j,i) \in A)$

Data [units]

$u_{i,j}$          upper bound on total (undirected) flow on edge $(i,j)$ [flow]
$v_{i,j}$          per-unit penalty cost on damaged arc $(i,j) \in A$ [cost/flow]
num_attacks        maximum number of edges the attacker can destroy [cardinality]

Decision Variables [units]

$Y_{i,j}$          defender flow on directed arc $(i,j) \in A$ [flow]
$X_{i,j}$          1 if attacker destroys undirected edge $(i,j) \in E$, 0 otherwise [binary]

Minimax optimization of flow [dual variables]

$$
\begin{aligned}
\min_{X \in \mathcal{X}} \; \max_{Y} \quad & Y_{t,s} - \sum_{(i,j) \in E} \left( v_{i,j} Y_{i,j} + v_{j,i} Y_{j,i} \right) X_{i,j} \\
\text{s.t.} \quad & \sum_{(i,j) \in A} Y_{i,j} - \sum_{(j,i) \in A} Y_{j,i} = 0 && \forall i \in N && [\alpha_i] \\
& 0 \le Y_{i,j} + Y_{j,i} \le u_{i,j} && \forall (i,j) \in E && [\beta_{i,j}]
\end{aligned}
$$

where

$$
\mathcal{X} = \Big\{ X \;:\; \sum_{(i,j) \in E} X_{i,j} \le \text{num\_attacks}, \quad X_{i,j} \in \{0, 1\} \;\; \forall (i,j) \in E \Big\}
$$


We have added dual variables, $\alpha$ and $\beta$, to the balance-of-flow and capacity constraints in the maximum-flow inner problem. These will help us reformulate (and solve) the min-max problem. The (finite) penalty cost $v_{i,j}$ can be chosen to be any number greater than 1; any unit of flow across an attacked edge will contribute one unit of flow to the objective (indirectly via the balance of flow constraints and $Y_{t,s}$), but will cost at least that much in terms of penalties paid directly on that arc. If $v_{i,j} = 1$, then the operator is completely indifferent to sending flow over arcs associated with the interdicted edge, and the resulting problem may therefore have many equivalent optimal solutions. For any value $v_{i,j} > 1$, he will be penalized for that flow, and therefore will not send any flow across the interdicted arc. Because we typically require that our data be integer, $v_{i,j} = 2$ is an obvious choice. The case in which $0 < v_{i,j} < 1$ might be interpreted as fractional losses across a particular arc (perhaps from a leak in a pipe), but, unfortunately, this doesn't work out; the balance of flow constraints still deliver all of the flow to $Y_{t,s}$, and all that a fractional penalty does is change the objective function without changing the arc flows in the maximum-flow solution.

The limitations on the attacker's actions are simple cardinality constraints; however, we can easily adapt these to situations in which some edges are more costly to destroy than others in terms of some resource limiting the attacker, and there could even be multiple constraints on various attacker resources such as manpower, ordnance, delivery capacity, etc. Neither of these poses any conceptual or algorithmic difficulty for solving these problems.

If we wish to make an arc (or set of arcs) invulnerable, we just set the penalty cost for each invulnerable arc to $v_{i,j} = 0$. Then interdiction of the edge associated with that arc has no effect on the operator's flow across the arc, and would be wasted effort for the attacker.

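By taking the dual of the inner (maximization) problem, we obtain an equivalent mixed integer linear program minimizing flow, denoted DUAL-ILP.

$$
\begin{aligned}
\min_{\alpha, \beta, X} \quad & \sum_{(i,j) \in E} u_{i,j} \, \beta_{i,j} \\
\text{s.t.} \quad & \alpha_i - \alpha_j + \beta_{i,j} + v_{i,j} X_{i,j} \ge 0 && \forall (i,j) \in E \\
& \alpha_j - \alpha_i + \beta_{i,j} + v_{j,i} X_{i,j} \ge 0 && \forall (i,j) \in E \\
& \alpha_t - \alpha_s + \beta_{t,s} \ge 1 \\
& \sum_{(i,j) \in E} X_{i,j} \le \text{num\_attacks} \\
& \alpha_s = 0 \\
& \beta_{i,j} \ge 0 && \forall (i,j) \in E \\
& X_{i,j} \in \{0, 1\} && \forall (i,j) \in E
\end{aligned}
$$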


Here we fix $\alpha_s = 0$ as is customary in min-cut formulations (see Ahuja et al. 1993): the dual variables $\alpha$ only appear as pairwise differences, and therefore have an extra degree of freedom we can eliminate by fixing any one of them to a constant value. Using a feasible binary attack plan $X$ from this mixed integer linear program, one can recover the operator's residual flows $Y$ by solving the operator's maximizing linear program for this fixed $X$. (The values of the dual variables do not directly support calculation of the optimal flows; they can, in fact, be noninteger, even though we would expect to be able to interpret them as node and arc labels as they would be in a typical max-flow, min-cut formulation.) The mixed-integer linear program can be embellished by any ILP restrictions on the $X$ variables.

Figure 2 presents a cosmetically revised version of the Soviet rail network in Harris and Ross (1955), suitable for use as input to the mixed integer linear program interdiction problem. (We have renumbered some of the nodes, and removed redundant capacity information on some arcs.)

We explore the effect of an increasing number of worst-case attacks on the ability of the operator to move materiel through this system. That is, by solving MINMAXFLOW for num_attacks = 1, 2, ..., n, we discover how the system will perform under an increasing number of attacks. Figure 3 presents the results.


Figure 2. Network used as input to the network interdiction problem. The set of origin nodes is {1, 2, 3, 5, 10, 15, 16, 17, 26}, and the set of destination nodes is {42, 43, 44, 48, 49, 50}. Edge labels represent capacities (in 1,000s of tons). (This figure displays all data necessary to reproduce the computational experiments reported in this paper.)

[Figure 3 plot not reproduced; horizontal axis: Number of Attacks.]

Figure  3.  Maximum  flow  through  the  Soviet  rail  system  after  an  increasing  number  of  worst-case  attacks.  The 
solution  of  163,000  tons  for  zero  attacks  is  exactly  the  solution  to  the  original  maximum-flow  problem.  It  takes 
seven  simultaneous  attacks  to  achieve  a  complete  interdiction  of  network  flow  (i.e.,  a  cut). 


The results in Figure 3 show that an attacker obtains approximately linear returns with each additional attack. This is not good news for the system operator, but it could be worse. Many transport systems are built with minimal redundancy, which, in the extreme case of a spanning tree (e.g., many pipeline systems), means that any single attack can yield a complete interdiction.

Table 1 shows the edges associated with each worst-case attack. We observe that the sets of edges for one through five attacks are monotone (or nested, or prioritizable), in the sense that the set of edges for k + 1 attacks includes all of the edges in the set for k attacks, plus one additional edge. This type of result suggests the use of priority lists as a natural means for organizing a list of potential targets. However, the set of edges associated with num_attacks = 6 does not contain the set for num_attacks = 5.


This problem of minimizing the maximum flow is a specific instance of a much broader class of problems involving network (or system) interdiction. Such models have become popular tools for studying the interaction of a strategic attacker and defender. But in the case of our Soviet rail example, this seems like a lot of work for what seems intuitive to anyone who has studied network flows.

Table 1. Edges associated with worst-case attacks. For one to five attacks, the set of edges is monotone. With seven attacks, we have a complete interdiction of network flow.

Attacks  Maxflow  Attacked Edges
0        163
1        127      (35,40)
2        97       (35,40)  (34,39)
3        73       (35,40)  (34,39)  (37,45)
4        49       (35,40)  (34,39)  (37,45)  (36,41)
5        32       (35,40)  (34,39)  (37,45)  (36,41)  (35,39)
6        15       (34,35)  (34,39)  (26,38)  (22,35)  (24,36)  (23,35)
7        0        (35,39)  (34,39)  (35,40)  (35,41)  (36,41)  (37,45)

Identifying the Most-Vital Arc

The connection between the maximum flow and the minimum capacity cut is so fundamental that it seems obvious how to identify the bottlenecks, and therefore the "most-vital" arcs, in a maximum-flow problem. Indeed, the intuitive nature of the problem suggests several appealing rules for identifying them (Ahuja et al. 1993, p. 244):

•  An arc having the largest capacity is most vital;

•  An arc carrying the largest flow in an optimal solution is most vital;

•  An arc having the largest capacity in a minimum-capacity cut is most vital; or

•  Any most-vital arc is in some minimum-capacity cut.

This section shows that none of these intuitive criteria correctly identifies the most-vital arc.

Figure 4 illustrates a maximum-flow problem with seven nodes and nine arcs, where the system operator seeks a set of feasible arc flows, $x_{ij}$, to maximize the total quantity sent from node 1 to node 7 per unit time, while abiding by individual arc capacity limits, $u_{ij}$, and material balance (inflow = outflow) at all intermediate nodes. For this network, the maximum flow is 20 units, with arc flows as indicated on the diagram, and there are two minimum-capacity cuts (illustrated by dashed curved lines), each with capacity 20, proving that the flow is optimal. In fact, the most-vital arc is the one from node 1 to node 3, denoted as arc 1-3.

If an arc carries zero flow in any optimal solution, then removing that arc will not reduce the maximum volume of flow. But if an arc carries at least some minimum flow in every optimal solution, then its removal will reduce the optimal solution by the amount of that minimum flow. If we let m(a) represent the minimum flow across arc a over all maximum-flow solutions, then an arc a is a most-vital arc if it maximizes m(a) over A. In Figure 1, arc 1-3 has a minimum possible flow of 15 units (and a maximum of 20) over all optimal solutions. Arc 5-7 could also carry as much as 20 units of flow in an optimal solution, but, as illustrated, it could also carry no flow in an optimal solution, and hence cannot be a most-vital arc.


This definition of a most-vital arc (maximizing over all optimal solutions the minimum flow over all arcs) is conceptually simple, but computationally complex: We know of no simple rule of thumb that avoids lengthy computations and that can successfully identify which arc(s) satisfy this definition. Determining a most-vital arc (and, more generally, a set of most-vital arcs of any given size) requires solving a maximum-flow interdiction problem like MINMAXFLOW that is of size comparable to the original maximum-flow problem. Although straightforward to formulate, larger instances of this integer linear programming problem can be very difficult to solve.
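The single-arc analysis above can be checked by re-solving the maximum-flow problem once per removed arc. The following is an added example, not code from the paper: the capacities in `ARCS` and the flow in `FLOW` are constructed here to satisfy the properties stated for Figure 4 (the figure's own data is not reproduced on this page), and all function names are this example's own.

```python
from collections import deque

# Constructed 7-node, 9-arc network: capacities chosen to satisfy the
# properties the Figure 4 caption states (they are not taken from the figure).
ARCS = {(1, 2): 5, (2, 3): 5, (1, 3): 20, (3, 4): 10, (3, 5): 10,
        (4, 5): 10, (5, 6): 20, (6, 7): 20, (5, 7): 25}
# Constructed optimal flow in which arc 5-7 idles, as the text describes.
FLOW = {(1, 2): 5, (2, 3): 5, (1, 3): 15, (3, 4): 10, (3, 5): 10,
        (4, 5): 10, (5, 6): 20, (6, 7): 20, (5, 7): 0}
SOURCE, SINK = 1, 7


def max_flow(arcs, s=SOURCE, t=SINK):
    """Edmonds-Karp: augment along shortest residual paths until none is left."""
    res = {}
    for (u, v), cap in arcs.items():
        res.setdefault(u, {})[v] = res.get(u, {}).get(v, 0) + cap
        res.setdefault(v, {}).setdefault(u, 0)   # reverse residual arc
    total = 0
    while True:
        parent, queue = {s: None}, deque([s])
        while queue and t not in parent:
            u = queue.popleft()
            for v, c in res.get(u, {}).items():
                if c > 0 and v not in parent:
                    parent[v] = u
                    queue.append(v)
        if t not in parent:
            return total
        path, v = [], t
        while parent[v] is not None:
            path.append((parent[v], v))
            v = parent[v]
        push = min(res[u][v] for u, v in path)
        for u, v in path:
            res[u][v] -= push
            res[v][u] += push
        total += push


def flow_value(arcs, flow, s=SOURCE, t=SINK):
    """Value of `flow` if it obeys capacities and node balance, else None."""
    if any(not 0 <= flow[a] <= cap for a, cap in arcs.items()):
        return None
    net = {}
    for (u, v), f in flow.items():
        net[u] = net.get(u, 0) + f
        net[v] = net.get(v, 0) - f
    if any(x for node, x in net.items() if node not in (s, t)):
        return None
    return net.get(s, 0)


def vitality(arcs, s=SOURCE, t=SINK):
    """Re-solve max flow once per arc. drop = F - maxflow(G - a) is m(a), the
    least flow arc a carries in any maximum flow; an arc lies in some
    minimum-capacity cut exactly when its drop equals its full capacity."""
    base = max_flow(arcs, s, t)
    report = {}
    for a, cap in arcs.items():
        rest = {b: c for b, c in arcs.items() if b != a}
        drop = base - max_flow(rest, s, t)
        report[a] = {"capacity": cap, "drop": drop, "in_min_cut": drop == cap}
    return base, report


def check_rules(arcs=ARCS, flow=FLOW):
    """Compare each rule of thumb's pick with the true most-vital arc."""
    base, rep = vitality(arcs)
    most_vital = max(rep, key=lambda a: rep[a]["drop"])
    cut_arcs = sorted(a for a in rep if rep[a]["in_min_cut"])
    picks = {
        "largest capacity": max(arcs, key=arcs.get),
        "largest flow in one optimal solution": max(flow, key=flow.get),
        "largest capacity in a minimum cut": max(cut_arcs, key=arcs.get),
    }
    return {"max_flow": base, "most_vital": most_vital,
            "drop": rep[most_vital]["drop"], "min_cut_arcs": cut_arcs,
            "rule_picks": picks,
            "rule_drops": {r: rep[a]["drop"] for r, a in picks.items()}}


if __name__ == "__main__":
    for key, value in check_rules().items():
        print(key, "=", value)
```

On this constructed network every rule's pick removes less flow than arc 1-3 does, and arc 1-3 is absent from the list of minimum-cut arcs.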

In some cases, it may seem easier or more convenient to use random sampling as an alternate means for selecting "vital" components of the system. The idea is to specify a probability distribution for the possible combinations of arc failures and then select a large sample of (presumably) representative scenarios, keeping track of the worst ones. There are two potential problems with doing this. First, it is unclear how to choose a "good" probability distribution. Second, because there are ways to have k failed arcs, for k = 1, 2, ..., m, the number of combinations could be so large that such sampling is ineffective even on fast computers.

Figure 4. Network with a maximum flow of 20 units from node 1 to node 7 and with the two minimum-capacity cuts indicated (dashed curves), illustrating a contradiction for each of several proposed characterizations of a "most-vital" arc. Notation: The two numbers on each arc are respectively (flow, capacity). Arc 1-3 is the most-vital arc; removing it reduces the maximum flow to five, and removing any other single arc allows at least ten units of flow from 1 to 7 in the resulting network. Arc 5-7 has the largest capacity, arcs 5-6 and 6-7 have the maximum flow, and arcs 3-4, 3-5, and 4-5 are the only arcs in any minimum capacity cut.

To explore this idea of sampling a bit further, we plot in Figure 5 the residual maximum flow of the network under a large number of possible disruptions according to the number of damaged edges k. In general, a system with k damaged components will achieve a range of performance values, depending on which components are damaged. For each value of k, we randomly sample (with replacement) 10,000 possible configurations of disrupted edges, where each edge failure is equally likely and independent of the others, and then solve each configuration for the remaining maximum flow. This allows us to compare the distribution of residual maximum-flow values from random sampling with that of the optimal (worst-case) attack. For small k, this random sampling obtains optimal or near-optimal solutions, largely because the random sample is equal in size or larger than the total number of configurations and therefore is nearly performing an exhaustive enumeration of the solution space. However, for larger k, random sampling fails to find anything close to the worst-case attack because of the enormous number of possible attack configurations (e.g., there are more than $10^{10}$ ways of choosing seven attacks) and because, for this network, there are only a small number of optimal or near-optimal attacks.

Figure 5. Random attacks on the Soviet Railway, compared with optimal ones. Maximum flow (system performance) degrades with an increasing number of damaged edges. For num_attacks = 1, 2, ..., 7, we present the worst-case disruption, along with 10,000 randomly generated attacks. Each subfigure shows a histogram of the frequency with which random attacks impact the maximum flow. As the number of possible attack combinations increases, it becomes harder and harder to find the worst-case attack by random sampling. In the main figure, the dashed line connects the worst-case disruptions for this system. (Here the phrase "resilience curve" really refers to a discrete frontier of points.)

The implications of Figure 5 are striking: we should not expect random sampling of failure scenarios (e.g., via simulation) to reliably answer the question, "How bad could it be?" Rather, we need to solve explicitly for worst-case disruptions.

All  this  effort  to  find  the  absolute  worst- 
case  disruption  might  seem  like  unnecessary 
work,  were  it  not  for  the  key  role  that  worst- 
case  disruptions  play  in  assessing  the  resilience 
of  the  system. 

A  Measure  of  Operational  Resilience 

The notion of resilience has become an important concept in discussions about critical infrastructure. In its 2006 report, the Critical Infrastructure Task Force of the Homeland Security Advisory Council defined resilience as "the capability of a system to maintain its functions and structure in the face of internal and external change and to degrade gracefully when it must." The 2007 National Strategy for Homeland Security recognizes that although we cannot prevent all disruptions, deliberate or nondeliberate, we can work to ensure "the structural and operational resilience of critical infrastructures and key resources" (HSC 2007, p. 27), adding that "We must now focus on the resilience of the system as a whole — an approach that centers on investments that make the system better able to absorb the impact of an event without losing the capacity to function" (HSC 2007, p. 28).

There is now a host of competing definitions for resilience that span applications in human and organizational behavior (e.g., Bennis and Heifetz 2003), system safety (e.g., Hollnagel, Woods, and Leveson 2006, and references therein), systems engineering (e.g., Haimes 2009), and control theory (e.g., Vugrin et al. 2010).

In the context of maximum-flow problems (and, more generally, for infrastructure systems), we propose a definition for operational resilience that follows directly from our discussion of most-vital arcs, and we introduce the notion of a resilience curve that defines the response of a system to a range of disruptions.


Consider a network in which each edge is operating, but which might be damaged such that some edges are transformed from operating to nonfunctional, and where the performance of the network (here, the maximum-flow volume) is a function of the collective state of its edges. Let c be a vector of length m, each element of which represents the binary state (operating or not) of an edge, such that there is a total of $2^m$ distinct configurations of the network. For any scenario defined by the vector c we define the magnitude of disruption as

m 

Ac= 

/  —  1 

which, for a vector of binary values, is simply the number of failed edges. In
general, the performance of the network will degrade with an increasing number
of failed edges, but not all edges are equally critical to the maximum flow.
What does this mean for operational resilience?

We introduce the resilience curve for the system as that which plots worst-case
performance as a function of disruption magnitude (see Figure 5). Although
these plots might be more properly referred to as "resilience frontiers" due to
their discrete nature, we retain the term resilience curves to maintain a
connection to prior work on risk curves (Kaplan and Garrick 1981), and because
we will use stylized continuous approximations when the discreteness of the
attacker's (or defender's) level of effort is not critical to the discussion.
The resilience curve communicates considerable information about the response
of the system to worst-case disruptions of increasing magnitude, where
magnitude is simply the number of failed edges. One immediately discerns how
the maximum flow degrades as additional edges are damaged. Intervals where
there is little or no change in maximum flow are called "more resilient," and
intervals where there is greater change are called "less resilient."

When used for relative comparison between networks, these resilience curves
allow us to draw conclusions about dominating alternatives just as in Kaplan
and Garrick (1981). For example, in the simple case where the resilience curve
of one system (say, System A) dominates the resilience curve of another (say,
System B), one can make assertions such as, "System A is more resilient than
System B" (Figure 6a). However, when neither curve dominates (Figure 6b), this
type of simple assertion is not possible. In this way, we paraphrase the
comment about risk by Kaplan and Garrick, namely that "[resilience] is a
concept bigger than a single number."

Resilience curves as defined here show how the performance of a network changes
in response to the loss of edges. When the size of disruption is a linear
function of the resources (e.g., the number of people, materials, and money) or
level of effort (e.g., number of simultaneous attacks) required to cause it,
our resilience curves yield a novel interpretation: how will the system respond
in the face of increasing disruption? In the case of an intelligent adversary,
the resilience curve of the system reflects the attacker's
return-on-investment (ROI) — showing how system performance degrades with
incremental expenditure of attack resources. Such information can be vital for
defensive planning purposes, in that investment to "raise the resilience curve"
can effectively deter an adversary looking to use limited resources to disrupt
system performance.

Our interest in assessing the operational resilience of the system under any
disruption suggests that we focus on the worst-case performance of the system
with k damaged components. But assessment is only part of the problem: we need
to know how to invest limited resources to maximally improve the resilience of
the system. We again show that simple intuitive solutions often fall short of
the best that we can do.


The  Problem  with  Prioritized  Lists 

The Department of Defense and Department of Homeland Security typically
prioritize critical infrastructure assets (system components) into "tiers" to
help inform protection decisions (DoD 2002). A prioritized list of system
components can be a helpful planning tool for an attacker or defender when
budgets are not completely known beforehand, because this defines a simple rule
for allocating resources: If we can afford to attack (or defend) k targets,
choose the top k components from the list. This "greedy" (myopic) decision rule
is easy to implement and sometimes serves as a reasonable first guess at a
solution, but only in special circumstances does it optimize use of resources
(e.g., Magazine et al. 1975).

Figure 7 illustrates a weakness inherent in creating any "prioritized list" of
targets (or assets or system components) to protect. In this example, the
most-vital single arc is not among the best choices if two (or more) arcs are
to be removed. More generally, we observe that none of these most-vital sets is
prioritizable, in the sense that none of the k most-vital arcs is included in
the set of k+1 most-vital arcs. Therefore, the concept of identifying a
priority list with a "most-vital" arc followed by a "second-most-vital" arc (or
set of arcs), etc., is fundamentally flawed, because how "vital" an arc is
depends (nonmonotonically) on how many arcs an attacker can afford to target
simultaneously — or, more generally, on the attacker's resources available for
inflicting damage. If, instead, we seek a set of k arcs whose simultaneous
removal most reduces the resulting maximum flow, then in general we need to
abandon tiers or priority rankings, and, instead, actually solve a maximum-flow
interdiction problem for each value of k. There is no simple rule of thumb for
identifying critical sets of arcs (or, in general, components) without
analyzing the system's operation as a whole. Although a well-designed set of
priority tiers can sometimes be useful as an approximate guide to how to
allocate resources, especially when system performance is not strongly affected
by multiway interactions among components or subsets of components, simple
rules cannot find useful approximations (Magazine et al. 1975).

Figure 6. (a) System A has greater resilience than System B. (b) Neither System
A nor System B can be said to be more resilient. System A is more resilient to
a smaller number of attacks, but System B is more resilient to a larger number
of attacks.

Figure 7. Why prioritized lists don't always work. This network has four
different minimum cut sets, each yielding a maximum flow of 25 units. The
single most-vital arc is the one with capacity 9; losing it reduces the maximum
flow to 16. The two most-vital arcs are the pair having capacity 8 units;
losing them reduces the maximum flow to 9. The three most-vital arcs are those
with capacity 7, and the four most-vital arcs are those with capacity 6. None
of these most-vital sets is nested within another, meaning that there is no
single priority list that accurately characterizes the importance of each arc.

In the Appendix, we show how to construct, for any integer n, a maximum-flow
problem for which the sets of k-most-vital arcs for k = 1, ..., n are pairwise
disjoint. We then discuss how far from this optimal sequence a prioritized list
(which induces a monotone collection of sets of arcs as targets) can be, even
if the best prioritized list is found. Finally, we show that determining the
best prioritized list is a difficult problem in its own right, even when the
optimal sequence is known.


Improving Resilience with a Limited Budget

Assume that we have the ability to defend a limited number of edges in our
network, whereby defending an edge makes it invulnerable to attack. Which edges
should we defend, and what does this do to improve the resilience of the
system? We can formulate this decision problem as follows.

Additional Index [cardinality]

$d \in D$    defense options [few, 2-10]

Additional Data [units]

$v_{ij}^{d}$    increased cost per unit flow on directed arc $(i,j) \in A$ if
attacked under defense option $d \in D$ [cost/kton]

$u_{ij}^{d}$    capacity of edge $(i,j) \in E$ under defense option $d \in D$
[tons]

num_defenses    maximum number of edges the defender can protect [cardinality]

Decision Variables [units]

$Y_{ij}^{d}$    flow of traffic on directed arc $(i,j) \in A$ under defense
option $d \in D$ [tons]

$W_{ij}^{d}$    = 1 if defense option d chosen for edge $(i,j) \in E$, 0
otherwise [binary]

Formulation MAXRESILIENCE

$$\max_{W}\ \min_{X}\ \max_{Y}\ \ \sum_{d \in D} Y \cdots \ \sum_{\substack{(i,j) \in E \\ d \in D}} \cdots \qquad \text{(D0)}$$

$$\text{s.t.}\quad \sum_{\substack{(i,j) \in A \\ d \in D}} Y_{ij}^{d} - \sum_{\substack{(j,i) \in A \\ d \in D}} Y_{ji}^{d} = 0 \qquad \forall i \in N \qquad \text{(D1)}$$

$$0 \le Y_{ij}^{d} + Y_{ji}^{d} \le u_{ij}^{d} W_{ij}^{d} \qquad \forall (i,j) \in E,\ \forall d \in D \qquad \text{(D2)}$$

$$\sum_{(i,j) \in E} X_{ij} \le \text{num\_attacks} \qquad \text{(D3)}$$

$$X_{ij} \in \{0,1\} \qquad \forall (i,j) \in E \qquad \text{(D4)}$$

$$\sum_{d \in D} W_{ij}^{d} = 1 \qquad \forall (i,j) \in E \qquad \text{(D5)}$$

$$\sum_{(i,j) \in E}\ \sum_{d \in D} W_{ij}^{d} \le \text{num\_defenses} \qquad \text{(D6)}$$

$$W_{ij}^{d} \in \{0,1\} \qquad \forall (i,j) \in E,\ \forall d \in D \qquad \text{(D7)}$$


Discussion 

The objective function (D0) represents the value of the maximum flow, for a
defense option chosen for each edge, an attack plan, and a set of flows in the
resulting network. We assume there is a "do nothing" defense plan,
$d_0 \in D$, that grants each edge its original capacity,
$u_{ij}^{d_0} = u_{ij}$, and unhardened attack penalties,
$v_{ij}^{d_0} = v_{ij}$, from the prior models. There could be several ways to
defend a particular edge, each with a different penalty and capacity, but for
simplicity of exposition we assume there are exactly two: one, $d_0$, which
does nothing to reduce the damage of an attack ($v_{ij}^{d_0} = 2$), and one,
$d_1$, which completely nullifies any attack ($v_{ij}^{d_1} = 0$). Constraints
(D1) enforce balance of flow at each node. Constraints (D2) limit the total
flow on the two directed arcs associated with edge $(i,j) \in E$ to not exceed
the total capacity granted by the defense option chosen for that edge.
Constraint (D3) limits the number of edges that can be attacked, and (D4)
enforces binary decisions about which edges are attacked. Constraints (D5)
force the defender to choose exactly one defensive plan per edge. Constraint
(D6) limits the number of edges that can be defended. Of course, as was the
case with the attacker cardinality constraint, these could be generalized to
include several different types of defender budgets. Stipulations (D7) specify
that selecting a defense option for each edge is a binary decision.

Formulation MAXRESILIENCE is an example of a defender-attacker-defender (DAD)
model (Brown et al. 2006, Alderson et al. 2011). For a given level of defensive
effort, represented here as num_defenses, an optimal solution identifies which
edges should be defended (syn. hardened) and by how much this helps mitigate
the impact of deliberate attacks.

Figure 8 shows the resulting resilience curve when defending
num_defenses = 1, 2, ..., 7 possible edges. We observe that a single defended
edge provides little benefit in terms of the residual throughput following a
worst-case attack, but it does increase the number of attacks needed for
complete interdiction from 7 to 8. A second defense increases this number to
10, and a third defense increases this number to more than 10. However, in many
cases these defenses provide only a relatively small increase to the actual
maximum flow for a given number of attacks. This chart reveals the ROIs (in
each attack scenario) that a defender faces when planning defensive
investments. If the benefits of increased flow volume can be stated in the same
units as the costs of the defenses (e.g., dollars), then the tradeoffs he faces
in each attack scenario can be evaluated in terms of absolute benefits.

RELATED  WORK 

There  are  a  number  of  other  techniques 
in  use  for  assessing  criticality  of  infrastructure 
components  and  prioritizing  their  protection. 

Risk  Scoring  Techniques 

Simple formulas such as Risk = Threat × Vulnerability × Consequence, or
Risk = Frequency × Impact, with judgment-based rating scales or scores used to
assess the inputs on their right-hand sides, are widely applied to assess and
compare the importance of individual infrastructure components (e.g., see ASME
2008). Most such rating systems do not account for uncertainties, correlations,
or dependencies among the inputs; exploit portfolio effects; help to diversify
protective investments against common uncertainties in inputs; or optimize risk
reductions for resources spent (Cox 2009). Hence, they are seldom satisfactory
for supporting objectively good risk management decisions, although their
popularity suggests that they may satisfy other needs, such as an urge to
impose simple structures on complex problems.

Figure 8. Increases to the resilience curve for the Soviet Railway. Defending
edges provides marginal increases to the resilience curve when there are only a
small number of attacks, but it serves to increase the number of attacks
required for complete system interdiction.


Graph  Connectivity  and  Network 
Science 

Owing in part to the massive size of modern infrastructure networks and the
vast amounts of data now being collected about them, recent efforts in the
study of "network science" (NRC 2006) have focused on the structure and
behavior of very large networks in physical, biological, and social systems.
Network science measures function in these systems primarily in terms of graph
connectivity statistics (Newman 2003). In this context, vital arcs are those
that contribute most to these graph theoretic measures, such as the average
path length between every pair of nodes or the size of the largest connected
component (e.g., Albert et al. 2000; Holme et al. 2002). A drawback of this is
that when applied to real systems (e.g., Albert et al. 2004; Schneider et al.
2011), these simple measures of connectivity often fail to capture the most
salient features of network function (e.g., Doyle et al. 2005, Hines et al.
2010), making them of limited value to operators of real network-centric
infrastructure systems (Alderson 2008, Alderson and Doyle 2010).


CONCLUSION 

No simple rule(s) of thumb can identify the most-critical system components
when the components work together to deliver system capacity, such as
throughput. Rather, the criticality of components depends on which sets are
damaged or destroyed by an attack (or by reliability failures, natural
disasters, and other nonadversarial hazards).

The maximum-flow problem is an example of a simple, even primitive, operator's
model that shows how the system responds to losses of sets of arcs
(components). Manipulation of such a model can reveal a system's functional
capability and remaining vulnerabilities, and can guide measures to identify
protective investments that will maximize "the resilience of the system as a
whole" for resources spent.

APPENDIX

In this appendix we show how to construct, for any number of attacks, a, an
explicit counterexample to the notion that a prioritized list of targets can be
sufficient for attack planning, for any number of attacks from 1 to a. For this
example, the target system consists of a maximum-flow problem on a directed
graph, and the optimal attack consisting of k arcs has no arc in common with
the optimal attack containing k' arcs, for any k ≠ k' from 1 to a. We will use
parallel, directed arcs to illustrate this property, but it is straightforward
to replicate these results for undirected arcs, and to add extra nodes in each
of these arcs to create equivalent examples that do not contain parallel arcs.
As a consequence of this result, any "prioritized list" of targets for this
counterexample can only yield the optimal attack plan for one value of k, and
the attack plan it suggests for any other number of attacks (except zero or a)
will be provably suboptimal.

Given an integer, n, we construct our instance as follows. Define a set N of n
nodes, numbered 1 to n. Between nodes k and k + 1 (for 0 < k < n) define n
parallel arcs. The first k of these arcs have capacity k, and the remaining
n - k arcs have capacity k + n. Each of the n - 1 "layers" of parallel arcs
between two consecutive nodes defined in this way has total capacity
$k^2 + (n - k)(n + k) = n^2$, and therefore the maximum flow on this graph is
$n^2$, with flow on every arc at its capacity (i.e., all arcs are saturated).

The k-most-vital arcs in this maximum-flow problem are the k largest arcs from
layer n - k (each of which has capacity k); if they are removed the remaining
n - k arcs in that layer each have capacity n - k, yielding a resulting optimal
flow of size $(n - k)^2$. This result follows because any set of k arcs taken
from any other layer will have less total capacity; layers that have
larger-capacity arcs will have fewer of those arcs available, and layers with
only smaller-capacity arcs don't need to be considered. Any set of k most-vital
arcs must come from the same layer (because removing arcs from more than one
layer at a time yields a resulting maximum flow that is equivalent to removing
fewer total arcs from one of those two layers alone), and choosing arcs from
any layer other than n - k will yield a higher resulting maximum flow. Figure 9
illustrates the case n = 6, where each layer has capacity $25 = n^2$, and the
optimal one-, two-, three-, and four-arc interdictions reduce the maximum flow
by 9, 16, 21, and 24 units, respectively, yielding optimal resulting flows 16,
9, 4, and 1.

Any prioritized list that has a chance of being optimal must only involve arcs
from a single layer, say, k (because if not, then for at least one k' the
attack for k' arcs will be no more damaging than the attack with k' - 1 arcs).
That prioritized list will feature the largest arcs first, followed by the
smallest, and will have a linear decrease in capacity of size (n + k) units of
flow per arc until n - k arcs are chosen, at which point it will be the optimal
(n - k)-arc interdiction, followed by a linear decrease (by k units of flow per
arc) until the capacity is zero. This yields a piecewise linear approximation
to the optimal sequence of interdictions, agreeing with the optimal result only
at zero, n - k, and n interdictions. Figure 9 illustrates the resulting
maximum-flow capacity for an example with n = 6, for the optimal interdictions
of each size and the interdictions resulting from the prioritized list that
would be built from layer 3.

Figure 9. Values for optimal (diamonds) and prioritized (squares) interdictions
from zero to 6 attacks for an example on n = 6 nodes, where the prioritized
list is taken from layer 3. (The three largest arcs in layer 3 have capacity
3 + 6 = 9, and the three smaller arcs have capacity 3.)

Because any prioritized list can only agree with the optimal attacks for
exactly three numbers of attacks, a prioritized list cannot be optimal for the
corresponding counterexample for any n greater than three.
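
The appendix construction, the prioritized-list comparison, and the defend-then-attack question from "Improving Resilience with a Limited Budget" can be checked numerically; the following Python is an added example, not the authors' code. It assumes exhaustive enumeration in place of the paper's optimization models (practical only for small networks), uses the n = 5 instance whose arc capacities match Figure 7, and all function names are illustrative.

```python
from collections import deque
from itertools import combinations

# Added illustration, not the paper's code: exhaustive enumeration stands in
# for the interdiction models, so it only suits small networks.

def build_instance(n):
    """Appendix construction: layer k joins node k to node k+1 with n parallel arcs."""
    arcs = []
    for k in range(1, n):
        arcs += [(k, k + 1, k)] * k + [(k, k + 1, k + n)] * (n - k)
    return arcs  # list of (tail, head, capacity)

def max_flow(arcs, removed, s, t):
    """Edmonds-Karp maximum flow over the arcs whose indices are not in `removed`."""
    cap = {}
    for idx, (u, v, c) in enumerate(arcs):
        if idx in removed:
            continue
        cap.setdefault(u, {})
        cap.setdefault(v, {}).setdefault(u, 0)   # residual (reverse) entry
        cap[u][v] = cap[u].get(v, 0) + c         # parallel arcs add up
    flow = 0
    while True:
        parent, queue = {s: None}, deque([s])
        while queue and t not in parent:         # BFS for a shortest augmenting path
            u = queue.popleft()
            for v, c in cap.get(u, {}).items():
                if c > 0 and v not in parent:
                    parent[v] = u
                    queue.append(v)
        if t not in parent:
            return flow
        path, v = [], t
        while parent[v] is not None:
            path.append((parent[v], v))
            v = parent[v]
        push = min(cap[u][v] for u, v in path)
        for u, v in path:
            cap[u][v] -= push
            cap[v][u] += push
        flow += push

def worst_case(arcs, k, s, t, defended=frozenset()):
    """Optimal k-arc interdiction by enumeration: (residual flow, arc indices)."""
    targets = [i for i in range(len(arcs)) if i not in defended]
    return min((max_flow(arcs, set(a), s, t), a) for a in combinations(targets, k))

def resilience_curve(arcs, kmax, s, t):
    """Worst-case maximum flow for 0..kmax lost arcs (one solve per value of k)."""
    return [worst_case(arcs, k, s, t)[0] for k in range(kmax + 1)]

def prioritized_curve(arcs, kmax, s, t):
    """Greedy list: each rank is the arc that hurts most given those already lost."""
    removed, curve = set(), [max_flow(arcs, set(), s, t)]
    for _ in range(kmax):
        best = min((i for i in range(len(arcs)) if i not in removed),
                   key=lambda i: max_flow(arcs, removed | {i}, s, t))
        removed.add(best)
        curve.append(max_flow(arcs, removed, s, t))
    return curve

def best_defense(arcs, num_defenses, num_attacks, s, t):
    """Defender-attacker-defender by enumeration: defended arcs cannot be attacked."""
    return max((worst_case(arcs, num_attacks, s, t, frozenset(d))[0], d)
               for d in combinations(range(len(arcs)), num_defenses))

if __name__ == "__main__":
    arcs = build_instance(5)   # large-arc capacities 6, 7, 8, 9 as in Figure 7
    print("optimal    :", resilience_curve(arcs, 4, 1, 5))
    print("prioritized:", prioritized_curve(arcs, 4, 1, 5))
    print("1 defense, 2 attacks:", best_defense(arcs, 1, 2, 1, 5))
```

The greedy list matches the optimal curve at one attack and then stays above it, and the single best defense raises only the two-attack point of the curve, which is why the defended curve has to be recomputed for every attack budget.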